Although Fedora and RHEL kickstart accept the root password in plain text, it’s not a bad idea at all to encrypt it using the standard Linux PAM mechanism. There used to be a utility for this, but it is no longer available. So I wrote a small script which does that. It is in Fedora 27+ now and on its way to EPEL7. Here is how to use it:

$ man pwkickstart


pwkickstart - generate kickstart passwords


  # pwkickstart

  # md5
  rootpw --iscrypted $1$SI$D964QyK1.Iz/
  # sha256
  rootpw --iscrypted $5$Ll/Q6$SEYqHGso3maNbtBc1wjyiyr2
  # sha512
  rootpw --iscrypted $6$MN7wS$1QE3FmSBrN71tXV8y.Blif1avdhTYt/


Utility pwkickstart generates kickstart passwords from password input and
prints them to standard output in three different formats: md5, sha256 and

Previously grub-crypt provided the same, but it is no longer available in
some Linux distributions.

The output in the SYNOPSIS example was shortened to fit on screen.


MIT License

Or you can grab it from my GitHub repo.

Have fun!
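A check for the `rootpw` lines that end up in a kickstart file, as an added example that is not part of pwkickstart or of the original post: it flags plain-text passwords and crypt strings whose hash field has the wrong length, which is what happens if the shortened values from the man page example are pasted as they are. The function names and the sample fragment are assumptions made for this example.

```python
import re

# Hash-field length for each crypt(3) scheme id that pwkickstart prints.
SCHEMES = {"1": ("md5", 22), "5": ("sha256", 43), "6": ("sha512", 86)}
CRYPT_RE = re.compile(
    r"^\$([156])\$(?:rounds=\d+\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]*)$")


def check_rootpw(line):
    """Return (verdict, detail) for a kickstart line, or None if not rootpw."""
    words = line.split()
    if not words or words[0] != "rootpw":
        return None
    opts = {w for w in words[1:] if w.startswith("--")}
    args = [w for w in words[1:] if not w.startswith("--")]
    if not args:
        return ("ok", "locked") if "--lock" in opts else ("fail", "no password")
    if "--iscrypted" not in opts:
        return ("fail", "plain-text password")
    m = CRYPT_RE.match(args[0])
    if not m:
        return ("fail", "not an md5/sha256/sha512 crypt string")
    name, want = SCHEMES[m.group(1)]
    got = len(m.group(3))
    if got != want:
        return ("fail", f"{name} hash is {got} chars, expected {want}")
    if name == "md5":
        return ("warn", "md5-crypt is the weakest of the three formats")
    return ("ok", name)


def lint(kickstart_text):
    """Return a list of (line_number, verdict, detail) for every rootpw line."""
    results = []
    for n, line in enumerate(kickstart_text.splitlines(), 1):
        verdict = check_rootpw(line)
        if verdict:
            results.append((n, *verdict))
    return results


# Constructed kickstart fragment: line 2 is the shortened sha512 value shown
# above, line 3 uses a filler hash of the right length (not a real hash).
SAMPLE = "\n".join([
    "rootpw changeme",
    "rootpw --iscrypted $6$MN7wS$1QE3FmSBrN71tXV8y.Blif1avdhTYt/",
    "rootpw --iscrypted $6$MN7wS$" + "A" * 86,
])

if __name__ == "__main__":
    for row in lint(SAMPLE):
        print(row)
```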